import nss-3.71.0-7.el9
This commit is contained in:
parent
ac2d330882
commit
962a77507e
|
@ -1,7 +1,5 @@
|
||||||
SOURCES/blank-cert8.db
|
SOURCES/PayPalEE.cert
|
||||||
SOURCES/blank-cert9.db
|
SOURCES/blank-cert9.db
|
||||||
SOURCES/blank-key3.db
|
|
||||||
SOURCES/blank-key4.db
|
SOURCES/blank-key4.db
|
||||||
SOURCES/blank-secmod.db
|
|
||||||
SOURCES/nspr-4.32.tar.gz
|
SOURCES/nspr-4.32.tar.gz
|
||||||
SOURCES/nss-3.71.tar.gz
|
SOURCES/nss-3.71.tar.gz
|
||||||
|
|
|
@ -1,7 +1,5 @@
|
||||||
d272a7b58364862613d44261c5744f7a336bf177 SOURCES/blank-cert8.db
|
5c92efcd23ae5dc57c4f0a3903d662365bca008c SOURCES/PayPalEE.cert
|
||||||
b5570125fbf6bfb410705706af48217a0817c03a SOURCES/blank-cert9.db
|
b5570125fbf6bfb410705706af48217a0817c03a SOURCES/blank-cert9.db
|
||||||
7f78b5bcecdb5005e7b803604b2ec9d1a9df2fb5 SOURCES/blank-key3.db
|
|
||||||
f9c9568442386da370193474de1b25c3f68cdaf6 SOURCES/blank-key4.db
|
f9c9568442386da370193474de1b25c3f68cdaf6 SOURCES/blank-key4.db
|
||||||
bd748cf6e1465a1bbe6e751b72ffc0076aff0b50 SOURCES/blank-secmod.db
|
|
||||||
28e05ef5cbe6e7cde239d3cdcccabf571ec73f69 SOURCES/nspr-4.32.tar.gz
|
28e05ef5cbe6e7cde239d3cdcccabf571ec73f69 SOURCES/nspr-4.32.tar.gz
|
||||||
b60e3e0a2765d4009347e08dc9792a4dc4aded03 SOURCES/nss-3.71.tar.gz
|
b60e3e0a2765d4009347e08dc9792a4dc4aded03 SOURCES/nss-3.71.tar.gz
|
||||||
|
|
|
@ -1,59 +0,0 @@
|
||||||
<?xml version='1.0' encoding='utf-8'?>
|
|
||||||
<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.2//EN"
|
|
||||||
"http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd" [
|
|
||||||
<!ENTITY date SYSTEM "date.xml">
|
|
||||||
<!ENTITY version SYSTEM "version.xml">
|
|
||||||
]>
|
|
||||||
|
|
||||||
<refentry id="cert8.db">
|
|
||||||
|
|
||||||
<refentryinfo>
|
|
||||||
<date>&date;</date>
|
|
||||||
<title>Network Security Services</title>
|
|
||||||
<productname>nss</productname>
|
|
||||||
<productnumber>&version;</productnumber>
|
|
||||||
</refentryinfo>
|
|
||||||
|
|
||||||
<refmeta>
|
|
||||||
<refentrytitle>cert8.db</refentrytitle>
|
|
||||||
<manvolnum>5</manvolnum>
|
|
||||||
</refmeta>
|
|
||||||
|
|
||||||
<refnamediv>
|
|
||||||
<refname>cert8.db</refname>
|
|
||||||
<refpurpose>Legacy NSS certificate database</refpurpose>
|
|
||||||
</refnamediv>
|
|
||||||
|
|
||||||
<refsection id="description">
|
|
||||||
<title>Description</title>
|
|
||||||
<para><emphasis>cert8.db</emphasis> is an NSS certificate database.</para>
|
|
||||||
<para>This certificate database is in the legacy database format. Consider migrating to cert9.db and key4.db which are the new sqlite-based shared database format with support for concurrent access.
|
|
||||||
</para>
|
|
||||||
</refsection>
|
|
||||||
|
|
||||||
<refsection>
|
|
||||||
<title>Files</title>
|
|
||||||
<para><filename>/etc/pki/nssdb/cert8.db</filename></para>
|
|
||||||
</refsection>
|
|
||||||
|
|
||||||
<refsection>
|
|
||||||
<title>See also</title>
|
|
||||||
<para>cert9.db(5), key4.db(5), pkcs11.txt(5), </para>
|
|
||||||
</refsection>
|
|
||||||
|
|
||||||
<refsection id="authors">
|
|
||||||
<title>Authors</title>
|
|
||||||
<para>The nss libraries were written and maintained by developers with Netscape, Red Hat, Sun, Oracle, Mozilla, and Google.</para>
|
|
||||||
<para>Authors: Elio Maldonado <emaldona@redhat.com>.</para>
|
|
||||||
</refsection>
|
|
||||||
|
|
||||||
<!-- don't change -->
|
|
||||||
<refsection id="license">
|
|
||||||
<title>LICENSE</title>
|
|
||||||
<para>Licensed under the Mozilla Public License, v. 2.0. If a copy of the MPL was not distributed with this file, You can obtain one at http://mozilla.org/MPL/2.0/.
|
|
||||||
</para>
|
|
||||||
|
|
||||||
</refsection>
|
|
||||||
|
|
||||||
|
|
||||||
</refentry>
|
|
|
@ -1,59 +0,0 @@
|
||||||
<?xml version='1.0' encoding='utf-8'?>
|
|
||||||
<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.2//EN"
|
|
||||||
"http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd" [
|
|
||||||
<!ENTITY date SYSTEM "date.xml">
|
|
||||||
<!ENTITY version SYSTEM "version.xml">
|
|
||||||
]>
|
|
||||||
|
|
||||||
<refentry id="key3.db">
|
|
||||||
|
|
||||||
<refentryinfo>
|
|
||||||
<date>&date;</date>
|
|
||||||
<title>Network Security Services</title>
|
|
||||||
<productname>nss</productname>
|
|
||||||
<productnumber>&version;</productnumber>
|
|
||||||
</refentryinfo>
|
|
||||||
|
|
||||||
<refmeta>
|
|
||||||
<refentrytitle>key3.db</refentrytitle>
|
|
||||||
<manvolnum>5</manvolnum>
|
|
||||||
</refmeta>
|
|
||||||
|
|
||||||
<refnamediv>
|
|
||||||
<refname>key3.db</refname>
|
|
||||||
<refpurpose>Legacy NSS certificate database</refpurpose>
|
|
||||||
</refnamediv>
|
|
||||||
|
|
||||||
<refsection id="description">
|
|
||||||
<title>Description</title>
|
|
||||||
<para><emphasis>key3.db</emphasis> is an NSS certificate database.</para>
|
|
||||||
<para>This is a key database in the legacy database format. Consider migrating to cert9.db and key4.db which which are the new sqlite-based shared database format with support for concurrent access.
|
|
||||||
</para>
|
|
||||||
</refsection>
|
|
||||||
|
|
||||||
<refsection>
|
|
||||||
<title>Files</title>
|
|
||||||
<para><filename>/etc/pki/nssdb/key3.db</filename></para>
|
|
||||||
</refsection>
|
|
||||||
|
|
||||||
<refsection>
|
|
||||||
<title>See also</title>
|
|
||||||
<para>cert9.db(5), key4.db(5), pkcs11.txt(5), </para>
|
|
||||||
</refsection>
|
|
||||||
|
|
||||||
<refsection id="authors">
|
|
||||||
<title>Authors</title>
|
|
||||||
<para>The nss libraries were written and maintained by developers with Netscape, Red Hat, Sun, Oracle, Mozilla, and Google.</para>
|
|
||||||
<para>Authors: Elio Maldonado <emaldona@redhat.com>.</para>
|
|
||||||
</refsection>
|
|
||||||
|
|
||||||
<!-- don't change -->
|
|
||||||
<refsection id="license">
|
|
||||||
<title>LICENSE</title>
|
|
||||||
<para>Licensed under the Mozilla Public License, v. 2.0. If a copy of the MPL was not distributed with this file, You can obtain one at http://mozilla.org/MPL/2.0/.
|
|
||||||
</para>
|
|
||||||
|
|
||||||
</refsection>
|
|
||||||
|
|
||||||
|
|
||||||
</refentry>
|
|
|
@ -0,0 +1,20 @@
|
||||||
|
diff -up ./doc/pk12util.xml.camellia ./doc/pk12util.xml
|
||||||
|
--- ./doc/pk12util.xml.camellia 2022-01-26 09:46:39.794919455 -0800
|
||||||
|
+++ ./doc/pk12util.xml 2022-01-26 09:54:58.277019760 -0800
|
||||||
|
@@ -317,7 +317,7 @@ Certificate Friendly Name: Thawte Fre
|
||||||
|
|
||||||
|
<refsection id="encryption">
|
||||||
|
<title>Password Encryption</title>
|
||||||
|
- <para>PKCS #12 provides for not only the protection of the private keys but also the certificate and meta-data associated with the keys. Password-based encryption is used to protect private keys on export to a PKCS #12 file and, optionally, the associated certificates. If no algorithm is specified, the tool defaults to using PKCS #12 SHA-1 and 3-key triple DES for private key encryption. When not in FIPS mode, PKCS #12 SHA-1 and 40-bit RC4 is used for certificate encryption. When in FIPS mode, there is no certificate encryption. If certificate encryption is not wanted, specify <userinput>"NONE"</userinput> as the argument of the <option>-C</option> option.</para>
|
||||||
|
+ <para>PKCS #12 provides for not only the protection of the private keys but also the certificate and meta-data associated with the keys. Password-based encryption is used to protect private keys on export to a PKCS #12 file and, optionally, the associated certificates. If no algorithm is specified, the tool defaults to using AES-256-CBC for private key encryption and AES-128-CBC for certificate encryption. If certificate encryption is not wanted, specify <userinput>"NONE"</userinput> as the argument of the <option>-C</option> option.</para>
|
||||||
|
<para>The private key is always protected with strong encryption by default.</para>
|
||||||
|
<para>Several types of ciphers are supported.</para>
|
||||||
|
<variablelist>
|
||||||
|
@@ -327,6 +327,7 @@ Certificate Friendly Name: Thawte Fre
|
||||||
|
<listitem>
|
||||||
|
<itemizedlist>
|
||||||
|
<listitem><para>PBES2 with AES-CBC-Pad as underlying encryption scheme (<userinput>"AES-128-CBC"</userinput>, <userinput>"AES-192-CBC"</userinput>, and <userinput>"AES-256-CBC"</userinput>)</para></listitem>
|
||||||
|
+ <listitem><para>PBES2 with CAMELLIA-CBC-Pad as underlying encryption scheme (<userinput>"CAMELLIA-128-CBC"</userinput>, <userinput>"CAMELLIA-192-CBC"</userinput>, and <userinput>"CAMELLIA-256-CBC"</userinput>)</para></listitem>
|
||||||
|
</itemizedlist>
|
||||||
|
</listitem>
|
||||||
|
</varlistentry>
|
|
@ -0,0 +1,36 @@
|
||||||
|
diff --git a/gtests/ssl_gtest/tls_subcerts_unittest.cc b/gtests/ssl_gtest/tls_subcerts_unittest.cc
|
||||||
|
--- a/gtests/ssl_gtest/tls_subcerts_unittest.cc
|
||||||
|
+++ b/gtests/ssl_gtest/tls_subcerts_unittest.cc
|
||||||
|
@@ -8,23 +8,32 @@
|
||||||
|
|
||||||
|
#include "prtime.h"
|
||||||
|
#include "secerr.h"
|
||||||
|
#include "ssl.h"
|
||||||
|
|
||||||
|
#include "gtest_utils.h"
|
||||||
|
#include "tls_agent.h"
|
||||||
|
#include "tls_connect.h"
|
||||||
|
+#define LTO
|
||||||
|
|
||||||
|
namespace nss_test {
|
||||||
|
|
||||||
|
+#ifndef LTO
|
||||||
|
+// sigh this construction breaks LTO
|
||||||
|
const std::string kEcdsaDelegatorId = TlsAgent::kDelegatorEcdsa256;
|
||||||
|
const std::string kRsaeDelegatorId = TlsAgent::kDelegatorRsae2048;
|
||||||
|
const std::string kPssDelegatorId = TlsAgent::kDelegatorRsaPss2048;
|
||||||
|
const std::string kDCId = TlsAgent::kServerEcdsa256;
|
||||||
|
+#else
|
||||||
|
+#define kEcdsaDelegatorId TlsAgent::kDelegatorEcdsa256
|
||||||
|
+#define kRsaeDelegatorId TlsAgent::kDelegatorRsae2048
|
||||||
|
+#define kPssDelegatorId TlsAgent::kDelegatorRsaPss2048
|
||||||
|
+#define kDCId TlsAgent::kServerEcdsa256
|
||||||
|
+#endif
|
||||||
|
const SSLSignatureScheme kDCScheme = ssl_sig_ecdsa_secp256r1_sha256;
|
||||||
|
const PRUint32 kDCValidFor = 60 * 60 * 24 * 7 /* 1 week (seconds) */;
|
||||||
|
|
||||||
|
static void CheckPreliminaryPeerDelegCred(
|
||||||
|
const std::shared_ptr<TlsAgent>& client, bool expected,
|
||||||
|
PRUint32 key_bits = 0, SSLSignatureScheme sig_scheme = ssl_sig_none) {
|
||||||
|
EXPECT_NE(0U, (client->pre_info().valuesSet & ssl_preinfo_peer_auth));
|
||||||
|
EXPECT_EQ(expected, client->pre_info().peerDelegCred);
|
|
@ -0,0 +1,257 @@
|
||||||
|
diff --git a/cmd/pk12util/pk12util.c b/cmd/pk12util/pk12util.c
|
||||||
|
--- a/cmd/pk12util/pk12util.c
|
||||||
|
+++ b/cmd/pk12util/pk12util.c
|
||||||
|
@@ -660,16 +660,27 @@ P12U_ExportPKCS12Object(char *nn, char *
|
||||||
|
}
|
||||||
|
|
||||||
|
/* Password to use for PKCS12 file. */
|
||||||
|
pwitem = P12U_GetP12FilePassword(PR_TRUE, p12FilePw);
|
||||||
|
if (!pwitem) {
|
||||||
|
goto loser;
|
||||||
|
}
|
||||||
|
|
||||||
|
+ /* we are passing UTF8, drop the NULL in the normal password value.
|
||||||
|
+ * UCS2 conversion will add it back if necessary. This only affects
|
||||||
|
+ * password > Blocksize of the Hash function and pkcs5v2 pbe (if password
|
||||||
|
+ * <=Blocksize then the password is zero padded anyway, so an extra NULL
|
||||||
|
+ * at the end has not effect). This is allows us to work with openssl and
|
||||||
|
+ * gnutls. Older versions of NSS already fail to decrypt long passwords
|
||||||
|
+ * in this case, so we aren't breaking anyone with this code */
|
||||||
|
+ if ((pwitem->len > 1) && (!pwitem->data[pwitem->len-1])) {
|
||||||
|
+ pwitem->len--;
|
||||||
|
+ }
|
||||||
|
+
|
||||||
|
p12cxt = p12u_InitContext(PR_FALSE, outfile);
|
||||||
|
if (!p12cxt) {
|
||||||
|
SECU_PrintError(progName, "Initialization failed: %s", outfile);
|
||||||
|
pk12uErrno = PK12UERR_INIT_FILE;
|
||||||
|
goto loser;
|
||||||
|
}
|
||||||
|
|
||||||
|
if (certlist) {
|
||||||
|
diff --git a/lib/pkcs12/p12local.c b/lib/pkcs12/p12local.c
|
||||||
|
--- a/lib/pkcs12/p12local.c
|
||||||
|
+++ b/lib/pkcs12/p12local.c
|
||||||
|
@@ -903,31 +903,35 @@ sec_pkcs12_find_object(SEC_PKCS12SafeCon
|
||||||
|
i++;
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
PORT_SetError(SEC_ERROR_PKCS12_UNABLE_TO_LOCATE_OBJECT_BY_NAME);
|
||||||
|
return NULL;
|
||||||
|
}
|
||||||
|
|
||||||
|
-/* this function converts a password to unicode and encures that the
|
||||||
|
- * required double 0 byte be placed at the end of the string
|
||||||
|
+/* this function converts a password to unicode and ensures that the
|
||||||
|
+ * required double 0 byte be placed at the end of the string (if zeroTerm
|
||||||
|
+ * is set), or the 0 bytes at the end are dropped (if zeroTerm is not set).
|
||||||
|
*/
|
||||||
|
PRBool
|
||||||
|
sec_pkcs12_convert_item_to_unicode(PLArenaPool *arena, SECItem *dest,
|
||||||
|
SECItem *src, PRBool zeroTerm,
|
||||||
|
PRBool asciiConvert, PRBool toUnicode)
|
||||||
|
{
|
||||||
|
PRBool success = PR_FALSE;
|
||||||
|
+ int bufferSize;
|
||||||
|
+
|
||||||
|
if (!src || !dest) {
|
||||||
|
PORT_SetError(SEC_ERROR_INVALID_ARGS);
|
||||||
|
return PR_FALSE;
|
||||||
|
}
|
||||||
|
|
||||||
|
- dest->len = src->len * 3 + 2;
|
||||||
|
+ bufferSize = src->len * 3 + 2;
|
||||||
|
+ dest->len = bufferSize;
|
||||||
|
if (arena) {
|
||||||
|
dest->data = (unsigned char *)PORT_ArenaZAlloc(arena, dest->len);
|
||||||
|
} else {
|
||||||
|
dest->data = (unsigned char *)PORT_ZAlloc(dest->len);
|
||||||
|
}
|
||||||
|
|
||||||
|
if (!dest->data) {
|
||||||
|
dest->len = 0;
|
||||||
|
@@ -951,34 +955,44 @@ sec_pkcs12_convert_item_to_unicode(PLAre
|
||||||
|
if (!arena) {
|
||||||
|
PORT_Free(dest->data);
|
||||||
|
dest->data = NULL;
|
||||||
|
dest->len = 0;
|
||||||
|
}
|
||||||
|
return PR_FALSE;
|
||||||
|
}
|
||||||
|
|
||||||
|
- if ((dest->len >= 2) &&
|
||||||
|
- (dest->data[dest->len - 1] || dest->data[dest->len - 2]) && zeroTerm) {
|
||||||
|
- if (dest->len + 2 > 3 * src->len) {
|
||||||
|
- if (arena) {
|
||||||
|
- dest->data = (unsigned char *)PORT_ArenaGrow(arena,
|
||||||
|
- dest->data, dest->len,
|
||||||
|
- dest->len + 2);
|
||||||
|
- } else {
|
||||||
|
- dest->data = (unsigned char *)PORT_Realloc(dest->data,
|
||||||
|
- dest->len + 2);
|
||||||
|
+ /* in some cases we need to add NULL terminations and in others
|
||||||
|
+ * we need to drop null terminations */
|
||||||
|
+ if (zeroTerm) {
|
||||||
|
+ /* unicode adds two nulls a the end */
|
||||||
|
+ if (toUnicode) {
|
||||||
|
+ if ((dest->len >= 2) &&
|
||||||
|
+ (dest->data[dest->len - 1] || dest->data[dest->len - 2])) {
|
||||||
|
+ /* we've already allocated space for these new NULLs */
|
||||||
|
+ PORT_Assert(dest->len + 2 <= bufferSize);
|
||||||
|
+ dest->len += 2;
|
||||||
|
+ dest->data[dest->len - 1] = dest->data[dest->len - 2] = 0;
|
||||||
|
}
|
||||||
|
-
|
||||||
|
- if (!dest->data) {
|
||||||
|
- return PR_FALSE;
|
||||||
|
+ /* ascii/utf-8 adds just 1 */
|
||||||
|
+ } else if ((dest->len >= 1) && dest->data[dest->len-1]) {
|
||||||
|
+ PORT_Assert(dest->len + 1 <= bufferSize);
|
||||||
|
+ dest->len ++;
|
||||||
|
+ dest->data[dest->len-1] = 0;
|
||||||
|
+ }
|
||||||
|
+ } else {
|
||||||
|
+ /* handle the drop case, no need to do any allocations here. */
|
||||||
|
+ if (toUnicode) {
|
||||||
|
+ while ((dest->len >=2) && !dest->data[dest->len - 1] &&
|
||||||
|
+ !dest->data[dest->len - 2]) {
|
||||||
|
+ dest->len -= 2;
|
||||||
|
}
|
||||||
|
+ } else while (dest->len && !dest->data[dest->len-1]) {
|
||||||
|
+ dest->len--;
|
||||||
|
}
|
||||||
|
- dest->len += 2;
|
||||||
|
- dest->data[dest->len - 1] = dest->data[dest->len - 2] = 0;
|
||||||
|
}
|
||||||
|
|
||||||
|
return PR_TRUE;
|
||||||
|
}
|
||||||
|
|
||||||
|
PRBool
|
||||||
|
sec_pkcs12_is_pkcs12_pbe_algorithm(SECOidTag algorithm)
|
||||||
|
{
|
||||||
|
@@ -1006,27 +1020,28 @@ sec_pkcs12_is_pkcs12_pbe_algorithm(SECOi
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
/* this function decodes a password from Unicode if necessary,
|
||||||
|
* according to the PBE algorithm.
|
||||||
|
*
|
||||||
|
* we assume that the pwitem is already encoded in Unicode by the
|
||||||
|
* caller. if the encryption scheme is not the one defined in PKCS
|
||||||
|
- * #12, decode the pwitem back into UTF-8. */
|
||||||
|
+ * #12, decode the pwitem back into UTF-8. NOTE: UTF-8 strings are
|
||||||
|
+ * used in the PRF without the trailing NULL */
|
||||||
|
PRBool
|
||||||
|
sec_pkcs12_decode_password(PLArenaPool *arena,
|
||||||
|
SECItem *result,
|
||||||
|
SECOidTag algorithm,
|
||||||
|
const SECItem *pwitem)
|
||||||
|
{
|
||||||
|
if (!sec_pkcs12_is_pkcs12_pbe_algorithm(algorithm))
|
||||||
|
return sec_pkcs12_convert_item_to_unicode(arena, result,
|
||||||
|
(SECItem *)pwitem,
|
||||||
|
- PR_TRUE, PR_FALSE, PR_FALSE);
|
||||||
|
+ PR_FALSE, PR_FALSE, PR_FALSE);
|
||||||
|
|
||||||
|
return SECITEM_CopyItem(arena, result, pwitem) == SECSuccess;
|
||||||
|
}
|
||||||
|
|
||||||
|
/* this function encodes a password into Unicode if necessary,
|
||||||
|
* according to the PBE algorithm.
|
||||||
|
*
|
||||||
|
* we assume that the pwitem holds a raw password. if the encryption
|
||||||
|
diff --git a/tests/common/init.sh b/tests/common/init.sh
|
||||||
|
--- a/tests/common/init.sh
|
||||||
|
+++ b/tests/common/init.sh
|
||||||
|
@@ -78,25 +78,27 @@ if [ -z "${INIT_SOURCED}" -o "${INIT_SOU
|
||||||
|
|
||||||
|
CERT_EXTENSIONS_DIR=${HOSTDIR}/cert_extensions
|
||||||
|
STAPLINGDIR=${HOSTDIR}/stapling
|
||||||
|
NOLOGINDIR=${HOSTDIR}/nologin
|
||||||
|
SSLGTESTDIR=${HOSTDIR}/ssl_gtests
|
||||||
|
GTESTDIR=${HOSTDIR}/gtests
|
||||||
|
|
||||||
|
PWFILE=${HOSTDIR}/tests.pw
|
||||||
|
+ LONGPWFILE=${HOSTDIR}/tests.longpw
|
||||||
|
EMPTY_FILE=${HOSTDIR}/tests_empty
|
||||||
|
NOISE_FILE=${HOSTDIR}/tests_noise
|
||||||
|
CORELIST_FILE=${HOSTDIR}/clist
|
||||||
|
|
||||||
|
FIPSPWFILE=${HOSTDIR}/tests.fipspw
|
||||||
|
FIPSBADPWFILE=${HOSTDIR}/tests.fipsbadpw
|
||||||
|
FIPSP12PWFILE=${HOSTDIR}/tests.fipsp12pw
|
||||||
|
|
||||||
|
echo nss > ${PWFILE}
|
||||||
|
+ echo "nss123456789012345678901234567890123456789012345678901234567890_" > ${LONGPWFILE}
|
||||||
|
echo > ${EMPTY_FILE}
|
||||||
|
echo "fIps140" > ${FIPSPWFILE}
|
||||||
|
echo "fips104" > ${FIPSBADPWFILE}
|
||||||
|
echo "pKcs12fips140" > ${FIPSP12PWFILE}
|
||||||
|
|
||||||
|
noise
|
||||||
|
|
||||||
|
P_SERVER_CADIR=${SERVER_CADIR}
|
||||||
|
@@ -656,16 +658,17 @@ if [ -z "${INIT_SOURCED}" -o "${INIT_SOU
|
||||||
|
P_R_NOLOGINDIR="multiaccess:${D_NOLOGIN}"
|
||||||
|
P_R_EXT_SERVERDIR="multiaccess:${D_EXT_SERVER}"
|
||||||
|
P_R_EXT_CLIENTDIR="multiaccess:${D_EXT_CLIENT}"
|
||||||
|
P_R_IMPLICIT_INIT_DIR="multiaccess:${D_IMPLICIT_INIT}"
|
||||||
|
P_R_RSAPSSDIR="multiaccess:${D_RSAPSS}"
|
||||||
|
fi
|
||||||
|
|
||||||
|
R_PWFILE=../tests.pw
|
||||||
|
+ R_LONGPWFILE=../tests.longpw
|
||||||
|
R_EMPTY_FILE=../tests_empty
|
||||||
|
R_NOISE_FILE=../tests_noise
|
||||||
|
|
||||||
|
R_FIPSPWFILE=../tests.fipspw
|
||||||
|
R_FIPSBADPWFILE=../tests.fipsbadpw
|
||||||
|
R_FIPSP12PWFILE=../tests.fipsp12pw
|
||||||
|
|
||||||
|
trap "Exit $0 Signal_caught" 2 3
|
||||||
|
diff --git a/tests/tools/tools.sh b/tests/tools/tools.sh
|
||||||
|
--- a/tests/tools/tools.sh
|
||||||
|
+++ b/tests/tools/tools.sh
|
||||||
|
@@ -382,16 +382,40 @@ tools_p12_export_list_import_with_defaul
|
||||||
|
check_tmpfile
|
||||||
|
|
||||||
|
echo "$SCRIPTNAME: Listing Alice's pk12 EC file -----------------"
|
||||||
|
echo "pk12util -l Alice-ec.p12 -w ${R_PWFILE}"
|
||||||
|
${BINDIR}/pk12util -l Alice-ec.p12 -w ${R_PWFILE} 2>&1
|
||||||
|
ret=$?
|
||||||
|
html_msg $ret 0 "Listing Alice's pk12 EC file (pk12util -l)"
|
||||||
|
check_tmpfile
|
||||||
|
+
|
||||||
|
+ echo "$SCRIPTNAME: Exporting Alice's email EC cert & key with long pw------"
|
||||||
|
+ echo "pk12util -o Alice-ec-long.p12 -n \"Alice-ec\" -d ${P_R_ALICEDIR} -k ${R_PWFILE} \\"
|
||||||
|
+ echo " -w ${R_LONGPWFILE}"
|
||||||
|
+ ${BINDIR}/pk12util -o Alice-ec-long.p12 -n "Alice-ec" -d ${P_R_ALICEDIR} -k ${R_PWFILE} \
|
||||||
|
+ -w ${R_LONGPWFILE} 2>&1
|
||||||
|
+ ret=$?
|
||||||
|
+ html_msg $ret 0 "Exporting Alice's email EC cert & key with long pw (pk12util -o)"
|
||||||
|
+ check_tmpfile
|
||||||
|
+ verify_p12 Alice-ec-long.p12 "default" "default" "default"
|
||||||
|
+
|
||||||
|
+ echo "$SCRIPTNAME: Importing Alice's email EC cert & key with long pw-----"
|
||||||
|
+ echo "pk12util -i Alice-ec-long.p12 -d ${P_R_COPYDIR} -k ${R_PWFILE} -w ${R_LONGPWFILE}"
|
||||||
|
+ ${BINDIR}/pk12util -i Alice-ec-long.p12 -d ${P_R_COPYDIR} -k ${R_PWFILE} -w ${R_LONGPWFILE} 2>&1
|
||||||
|
+ ret=$?
|
||||||
|
+ html_msg $ret 0 "Importing Alice's email EC cert & key with long pw (pk12util -i)"
|
||||||
|
+ check_tmpfile
|
||||||
|
+
|
||||||
|
+ echo "$SCRIPTNAME: Listing Alice's pk12 EC file with long pw ------------"
|
||||||
|
+ echo "pk12util -l Alice-ec-long.p12 -w ${R_LONGPWFILE}"
|
||||||
|
+ ${BINDIR}/pk12util -l Alice-ec-long.p12 -w ${R_LONGPWFILE} 2>&1
|
||||||
|
+ ret=$?
|
||||||
|
+ html_msg $ret 0 "Listing Alice's pk12 EC file with long pw (pk12util -l)"
|
||||||
|
+ check_tmpfile
|
||||||
|
}
|
||||||
|
|
||||||
|
tools_p12_import_old_files()
|
||||||
|
{
|
||||||
|
echo "$SCRIPTNAME: Importing PKCS#12 files created with older NSS --------------"
|
||||||
|
echo "pk12util -i TestOldCA.p12 -d ${P_R_COPYDIR} -k ${R_PWFILE} -w ${R_PWFILE}"
|
||||||
|
${BINDIR}/pk12util -i ${TOOLSDIR}/data/TestOldCA.p12 -d ${P_R_COPYDIR} -k ${R_PWFILE} -w ${R_PWFILE} 2>&1
|
||||||
|
ret=$?
|
|
@ -1,63 +0,0 @@
|
||||||
<?xml version='1.0' encoding='utf-8'?>
|
|
||||||
<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.2//EN"
|
|
||||||
"http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd" [
|
|
||||||
<!ENTITY date SYSTEM "date.xml">
|
|
||||||
<!ENTITY version SYSTEM "version.xml">
|
|
||||||
]>
|
|
||||||
|
|
||||||
<refentry id="secmod.db">
|
|
||||||
|
|
||||||
<refentryinfo>
|
|
||||||
<date>&date;</date>
|
|
||||||
<title>Network Security Services</title>
|
|
||||||
<productname>nss</productname>
|
|
||||||
<productnumber>&version;</productnumber>
|
|
||||||
</refentryinfo>
|
|
||||||
|
|
||||||
<refmeta>
|
|
||||||
<refentrytitle>secmod.db</refentrytitle>
|
|
||||||
<manvolnum>5</manvolnum>
|
|
||||||
</refmeta>
|
|
||||||
|
|
||||||
<refnamediv>
|
|
||||||
<refname>secmod.db</refname>
|
|
||||||
<refpurpose>Legacy NSS security modules database</refpurpose>
|
|
||||||
</refnamediv>
|
|
||||||
|
|
||||||
<refsection id="description">
|
|
||||||
<title>Description</title>
|
|
||||||
<para><emphasis>secmod.db</emphasis> is an NSS security modules database.</para>
|
|
||||||
<para>The security modules database is used to keep track of the NSS security modules. The NSS security modules export their services via the PKCS #11 API which NSS uses as its Services Provider Interface.
|
|
||||||
</para>
|
|
||||||
<para>The command line utility <emphasis>modutil</emphasis> is used for managing PKCS #11 module information both within secmod.db files and within hardware tokens.
|
|
||||||
</para>
|
|
||||||
<para>For new applications the recommended way of tracking security modules is via the pkcs11.txt configuration file used in conjunction the new sqlite-based shared database format for certificate and key databases.
|
|
||||||
</para>
|
|
||||||
</refsection>
|
|
||||||
|
|
||||||
<refsection>
|
|
||||||
<title>Files</title>
|
|
||||||
<para><filename>/etc/pki/nssdb/secmod.db</filename></para>
|
|
||||||
</refsection>
|
|
||||||
|
|
||||||
<refsection>
|
|
||||||
<title>See also</title>
|
|
||||||
<para>modutil(1), cert8.db(5), cert9.db(5), key3.db(5), key4.db(5), pkcs11.txt(5)</para>
|
|
||||||
</refsection>
|
|
||||||
|
|
||||||
<refsection id="authors">
|
|
||||||
<title>Authors</title>
|
|
||||||
<para>The nss libraries were written and maintained by developers with Netscape, Red Hat, Sun, Oracle, Mozilla, and Google.</para>
|
|
||||||
<para>Authors: Elio Maldonado <emaldona@redhat.com>.</para>
|
|
||||||
</refsection>
|
|
||||||
|
|
||||||
<!-- don't change -->
|
|
||||||
<refsection id="license">
|
|
||||||
<title>LICENSE</title>
|
|
||||||
<para>Licensed under the Mozilla Public License, v. 2.0. If a copy of the MPL was not distributed with this file, You can obtain one at http://mozilla.org/MPL/2.0/.
|
|
||||||
</para>
|
|
||||||
|
|
||||||
</refsection>
|
|
||||||
|
|
||||||
|
|
||||||
</refentry>
|
|
|
@ -4,7 +4,7 @@
|
||||||
# - increment %%{nspr_version}, when updating the NSS part only
|
# - increment %%{nspr_version}, when updating the NSS part only
|
||||||
# - put the nss_release number here next to nspr, as they both
|
# - put the nss_release number here next to nspr, as they both
|
||||||
# need to be updated on a given release
|
# need to be updated on a given release
|
||||||
%global nss_release 3
|
%global nss_release 7
|
||||||
%global nspr_release %[ %nss_release+2]
|
%global nspr_release %[ %nss_release+2]
|
||||||
%global nss_version 3.71.0
|
%global nss_version 3.71.0
|
||||||
# only need to update this as we added new
|
# only need to update this as we added new
|
||||||
|
@ -90,22 +90,28 @@ Source6: nss-softokn-dracut-module-setup.sh
|
||||||
Source7: nss-softokn-dracut.conf
|
Source7: nss-softokn-dracut.conf
|
||||||
Source8: nss.pc.in
|
Source8: nss.pc.in
|
||||||
Source9: nss-config.in
|
Source9: nss-config.in
|
||||||
|
%if %{with dbm}
|
||||||
Source10: blank-cert8.db
|
Source10: blank-cert8.db
|
||||||
Source11: blank-key3.db
|
Source11: blank-key3.db
|
||||||
Source12: blank-secmod.db
|
Source12: blank-secmod.db
|
||||||
|
%endif
|
||||||
Source13: blank-cert9.db
|
Source13: blank-cert9.db
|
||||||
Source14: blank-key4.db
|
Source14: blank-key4.db
|
||||||
Source15: system-pkcs11.txt
|
Source15: system-pkcs11.txt
|
||||||
Source16: setup-nsssysinit.sh
|
Source16: setup-nsssysinit.sh
|
||||||
Source20: nss-config.xml
|
Source20: nss-config.xml
|
||||||
Source21: setup-nsssysinit.xml
|
Source21: setup-nsssysinit.xml
|
||||||
Source22: pkcs11.txt.xml
|
%if %{with dbm}
|
||||||
Source23: cert8.db.xml
|
Source23: cert8.db.xml
|
||||||
Source24: cert9.db.xml
|
|
||||||
Source25: key3.db.xml
|
Source25: key3.db.xml
|
||||||
Source26: key4.db.xml
|
|
||||||
Source27: secmod.db.xml
|
Source27: secmod.db.xml
|
||||||
|
%endif
|
||||||
|
Source22: pkcs11.txt.xml
|
||||||
|
Source24: cert9.db.xml
|
||||||
|
Source26: key4.db.xml
|
||||||
Source28: nss-p11-kit.config
|
Source28: nss-p11-kit.config
|
||||||
|
Source30: PayPalEE.cert
|
||||||
|
|
||||||
|
|
||||||
Source100: nspr-%{nspr_archive_version}.tar.gz
|
Source100: nspr-%{nspr_archive_version}.tar.gz
|
||||||
Source101: nspr-config.xml
|
Source101: nspr-config.xml
|
||||||
|
@ -140,6 +146,12 @@ Patch50: nss-3.71-fips-module-name.patch
|
||||||
# upstream bug https://buzilla.mozilla.org/show_bug.cgi?id=1737470
|
# upstream bug https://buzilla.mozilla.org/show_bug.cgi?id=1737470
|
||||||
Patch60: nss-3.67-cve-2021-43527.patch
|
Patch60: nss-3.67-cve-2021-43527.patch
|
||||||
Patch70: nss-3.67-cve-2021-43527-test.patch
|
Patch70: nss-3.67-cve-2021-43527-test.patch
|
||||||
|
# not upstreamable patch...
|
||||||
|
Patch80: nss-3.71-fix-lto-gtests.patch
|
||||||
|
# camellia pkcs12 docs.
|
||||||
|
patch85: nss-3.71-camellia-pkcs12-doc.patch
|
||||||
|
# fix issue with long passwords in pkcs12
|
||||||
|
patch90: nss-3.75-fix-pkcs12-passwords.patch
|
||||||
|
|
||||||
Patch100: nspr-config-pc.patch
|
Patch100: nspr-config-pc.patch
|
||||||
Patch101: nspr-gcc-atomics.patch
|
Patch101: nspr-gcc-atomics.patch
|
||||||
|
@ -301,6 +313,7 @@ Header files for doing development with the Netscape Portable Runtime.
|
||||||
%setup -q -T -b 0 -n %{name}-%{nss_archive_version}
|
%setup -q -T -b 0 -n %{name}-%{nss_archive_version}
|
||||||
mv ../nspr-%{nspr_archive_version}/nspr .
|
mv ../nspr-%{nspr_archive_version}/nspr .
|
||||||
cp ./nspr/config/nspr-config.in ./nspr/config/nspr-config-pc.in
|
cp ./nspr/config/nspr-config.in ./nspr/config/nspr-config-pc.in
|
||||||
|
%{__cp} %{SOURCE30} -f ./nss/tests/libpkix/certs
|
||||||
|
|
||||||
%patch100 -p0 -b .flags
|
%patch100 -p0 -b .flags
|
||||||
pushd nspr
|
pushd nspr
|
||||||
|
@ -361,7 +374,7 @@ popd
|
||||||
# Build NSS
|
# Build NSS
|
||||||
#
|
#
|
||||||
# This package fails its testsuite with LTO. Disable LTO for now
|
# This package fails its testsuite with LTO. Disable LTO for now
|
||||||
%global _lto_cflags %{nil}
|
#%%global _lto_cflags %%{nil}
|
||||||
|
|
||||||
#export FREEBL_NO_DEPEND=1
|
#export FREEBL_NO_DEPEND=1
|
||||||
|
|
||||||
|
@ -540,20 +553,22 @@ date +"%e %B %Y" | tr -d '\n' > date.xml
|
||||||
echo -n %{nss_version} > version.xml
|
echo -n %{nss_version} > version.xml
|
||||||
|
|
||||||
# configuration files and setup script
|
# configuration files and setup script
|
||||||
for m in %{SOURCE20} %{SOURCE21} %{SOURCE22}; do
|
for m in %{SOURCE20} %{SOURCE21} %{SOURCE22} %{SOURCE24} %{SOURCE26}; do
|
||||||
cp ${m} .
|
cp ${m} .
|
||||||
done
|
done
|
||||||
for m in nss-config.xml setup-nsssysinit.xml pkcs11.txt.xml; do
|
for m in nss-config.xml setup-nsssysinit.xml pkcs11.txt.xml cert9.db.xml key4.db.xml; do
|
||||||
xmlto man ${m}
|
xmlto man ${m}
|
||||||
done
|
done
|
||||||
|
|
||||||
# nss databases considered to be configuration files
|
%if %{with dbm}
|
||||||
for m in %{SOURCE23} %{SOURCE24} %{SOURCE25} %{SOURCE26} %{SOURCE27}; do
|
# nss dbm databases
|
||||||
|
for m in %{SOURCE23} %{SOURCE25} %{SOURCE27}; do
|
||||||
cp ${m} .
|
cp ${m} .
|
||||||
done
|
done
|
||||||
for m in cert8.db.xml cert9.db.xml key3.db.xml key4.db.xml secmod.db.xml; do
|
for m in cert8.db.xml key3.db.xml secmod.db.xml; do
|
||||||
xmlto man ${m}
|
xmlto man ${m}
|
||||||
done
|
done
|
||||||
|
%endif
|
||||||
|
|
||||||
|
|
||||||
%check
|
%check
|
||||||
|
@ -704,9 +719,11 @@ done
|
||||||
# Install the empty NSS db files
|
# Install the empty NSS db files
|
||||||
# Legacy db
|
# Legacy db
|
||||||
mkdir -p $RPM_BUILD_ROOT/%{_sysconfdir}/pki/nssdb
|
mkdir -p $RPM_BUILD_ROOT/%{_sysconfdir}/pki/nssdb
|
||||||
|
%if %{with dbm}
|
||||||
install -p -m 644 %{SOURCE10} $RPM_BUILD_ROOT/%{_sysconfdir}/pki/nssdb/cert8.db
|
install -p -m 644 %{SOURCE10} $RPM_BUILD_ROOT/%{_sysconfdir}/pki/nssdb/cert8.db
|
||||||
install -p -m 644 %{SOURCE11} $RPM_BUILD_ROOT/%{_sysconfdir}/pki/nssdb/key3.db
|
install -p -m 644 %{SOURCE11} $RPM_BUILD_ROOT/%{_sysconfdir}/pki/nssdb/key3.db
|
||||||
install -p -m 644 %{SOURCE12} $RPM_BUILD_ROOT/%{_sysconfdir}/pki/nssdb/secmod.db
|
install -p -m 644 %{SOURCE12} $RPM_BUILD_ROOT/%{_sysconfdir}/pki/nssdb/secmod.db
|
||||||
|
%endif
|
||||||
# Shared db
|
# Shared db
|
||||||
install -p -m 644 %{SOURCE13} $RPM_BUILD_ROOT/%{_sysconfdir}/pki/nssdb/cert9.db
|
install -p -m 644 %{SOURCE13} $RPM_BUILD_ROOT/%{_sysconfdir}/pki/nssdb/cert9.db
|
||||||
install -p -m 644 %{SOURCE14} $RPM_BUILD_ROOT/%{_sysconfdir}/pki/nssdb/key4.db
|
install -p -m 644 %{SOURCE14} $RPM_BUILD_ROOT/%{_sysconfdir}/pki/nssdb/key4.db
|
||||||
|
@ -782,13 +799,15 @@ install -c -m 644 ./dist/docs/nroff/pp.1 $RPM_BUILD_ROOT%{_datadir}/doc/nss-tool
|
||||||
%endif
|
%endif
|
||||||
|
|
||||||
# Copy the man pages for the configuration files
|
# Copy the man pages for the configuration files
|
||||||
for f in pkcs11.txt; do
|
for f in pkcs11.txt cert9.db key4.db; do
|
||||||
install -c -m 644 ${f}.5 $RPM_BUILD_ROOT%{_mandir}/man5/${f}.5
|
install -c -m 644 ${f}.5 $RPM_BUILD_ROOT%{_mandir}/man5/${f}.5
|
||||||
done
|
done
|
||||||
# Copy the man pages for the nss databases
|
# Copy the man pages for the nss dbm databases
|
||||||
for f in cert8.db cert9.db key3.db key4.db secmod.db; do
|
%if %{with dbm}
|
||||||
|
for f in cert8.db key3.db secmod.db; do
|
||||||
install -c -m 644 ${f}.5 $RPM_BUILD_ROOT%{_mandir}/man5/${f}.5
|
install -c -m 644 ${f}.5 $RPM_BUILD_ROOT%{_mandir}/man5/${f}.5
|
||||||
done
|
done
|
||||||
|
%endif
|
||||||
|
|
||||||
# Copy the crypto-policies configuration file
|
# Copy the crypto-policies configuration file
|
||||||
install -p -m 644 %{SOURCE28} $RPM_BUILD_ROOT/%{_sysconfdir}/crypto-policies/local.d
|
install -p -m 644 %{SOURCE28} $RPM_BUILD_ROOT/%{_sysconfdir}/crypto-policies/local.d
|
||||||
|
@ -823,16 +842,20 @@ update-crypto-policies &> /dev/null || :
|
||||||
%{_libdir}/libssl3.so
|
%{_libdir}/libssl3.so
|
||||||
%{_libdir}/libsmime3.so
|
%{_libdir}/libsmime3.so
|
||||||
%dir %{_sysconfdir}/pki/nssdb
|
%dir %{_sysconfdir}/pki/nssdb
|
||||||
|
%if %{with dbm}
|
||||||
%config(noreplace) %verify(not md5 size mtime) %{_sysconfdir}/pki/nssdb/cert8.db
|
%config(noreplace) %verify(not md5 size mtime) %{_sysconfdir}/pki/nssdb/cert8.db
|
||||||
%config(noreplace) %verify(not md5 size mtime) %{_sysconfdir}/pki/nssdb/key3.db
|
%config(noreplace) %verify(not md5 size mtime) %{_sysconfdir}/pki/nssdb/key3.db
|
||||||
%config(noreplace) %verify(not md5 size mtime) %{_sysconfdir}/pki/nssdb/secmod.db
|
%config(noreplace) %verify(not md5 size mtime) %{_sysconfdir}/pki/nssdb/secmod.db
|
||||||
|
%endif
|
||||||
%config(noreplace) %verify(not md5 size mtime) %{_sysconfdir}/pki/nssdb/cert9.db
|
%config(noreplace) %verify(not md5 size mtime) %{_sysconfdir}/pki/nssdb/cert9.db
|
||||||
%config(noreplace) %verify(not md5 size mtime) %{_sysconfdir}/pki/nssdb/key4.db
|
%config(noreplace) %verify(not md5 size mtime) %{_sysconfdir}/pki/nssdb/key4.db
|
||||||
%config(noreplace) %verify(not md5 size mtime) %{_sysconfdir}/pki/nssdb/pkcs11.txt
|
%config(noreplace) %verify(not md5 size mtime) %{_sysconfdir}/pki/nssdb/pkcs11.txt
|
||||||
%config(noreplace) %verify(not md5 size mtime) %{_sysconfdir}/crypto-policies/local.d/nss-p11-kit.config
|
%config(noreplace) %verify(not md5 size mtime) %{_sysconfdir}/crypto-policies/local.d/nss-p11-kit.config
|
||||||
|
%if %{with dbm}
|
||||||
%doc %{_mandir}/man5/cert8.db.5*
|
%doc %{_mandir}/man5/cert8.db.5*
|
||||||
%doc %{_mandir}/man5/key3.db.5*
|
%doc %{_mandir}/man5/key3.db.5*
|
||||||
%doc %{_mandir}/man5/secmod.db.5*
|
%doc %{_mandir}/man5/secmod.db.5*
|
||||||
|
%endif
|
||||||
%doc %{_mandir}/man5/cert9.db.5*
|
%doc %{_mandir}/man5/cert9.db.5*
|
||||||
%doc %{_mandir}/man5/key4.db.5*
|
%doc %{_mandir}/man5/key4.db.5*
|
||||||
%doc %{_mandir}/man5/pkcs11.txt.5*
|
%doc %{_mandir}/man5/pkcs11.txt.5*
|
||||||
|
@ -1084,6 +1107,17 @@ update-crypto-policies &> /dev/null || :
|
||||||
|
|
||||||
|
|
||||||
%changelog
|
%changelog
|
||||||
|
* Wed Feb 16 2022 Bob Relyea <rrelyea@redhat.com> - 3.71.0-7
|
||||||
|
- Fix handling of pkcs12 passwords for PKCS5v2 cases which causes failures
|
||||||
|
on long passwords.
|
||||||
|
|
||||||
|
* Wed Jan 26 2022 Bob Relyea <rrelyea@redhat.com> - 3.71.0-6
|
||||||
|
- update pkcs12 documentation to include camellia
|
||||||
|
- turn on lto
|
||||||
|
|
||||||
|
* Wed Jan 12 2022 Bob Relyea <rrelyea@redhat.com> - 3.71.0-5
|
||||||
|
- remove old dbm files from the build
|
||||||
|
|
||||||
* Wed Dec 1 2021 Bob Relyea <rrelyea@redhat.com> - 3.71.0-2
|
* Wed Dec 1 2021 Bob Relyea <rrelyea@redhat.com> - 3.71.0-2
|
||||||
- Fix CVE-2021-43527
|
- Fix CVE-2021-43527
|
||||||
|
|
||||||
|
|
Loading…
Reference in New Issue